DDoS & DoS

Questions and Answers

What is the primary goal of a DDoS attack?

• To retrieve data from a target server
• To disrupt normal traffic to a targeted server (correct)
• To analyze user behavior on a network
• To increase the speed of a network connection

What term is used to describe the group of infected devices used in a DDoS attack?

• Network cluster
• Data swarm
• Botnet (correct)
• Traffic network

How do DDoS attacks typically manage to overwhelm a target?

• By integrating with cloud services
• By utilizing advanced encryption techniques
• By sending a large volume of requests from infected devices (correct)
• By redirecting legitimate traffic to secondary servers

What makes separating attack traffic from normal traffic challenging during a DDoS attack?

Legitimacy of devices involved in the attack (A)

What is NOT a potential sign of a DDoS attack?

A sudden increase in legitimate traffic (B)

What type of attack is a DDoS attack classified as?

A subcategory of denial-of-service attack (B)

Which of the following tools can help indicate a DDoS attack?

Traffic analytics tools (A)

What is the primary difference between a DoS attack and a DDoS attack?

A DoS attack uses one device, while a DDoS attack employs thousands or millions of devices. (A)

Which method can be used to help minimize the effect of DDoS attacks?

Implementing a load balancer. (A)

What is the role of Anycast in DDoS prevention?

It helps absorb traffic spikes by distributing the load. (B)

How does caching contribute to DDoS defense strategies?

It stores copies of content to reduce server strain. (C)

What is the purpose of rate limiting in network security?

To regulate the amount of traffic from specific IP addresses. (C)

What does a web application firewall (WAF) primarily do?

Filters and blocks malicious HTTP traffic. (D)

Which factor is crucial for an effective DDoS threat defense?

Scalable DDoS mitigation tools. (D)

Which of the following is NOT a method for reducing a network's attack surface?

Opening all ports for better access. (B)

Flashcards are hidden until you start studying

Study Notes

DDoS Attack Overview

• A Distributed Denial-of-Service (DDoS) attack disrupts normal traffic by overwhelming a target with an influx of internet traffic.
• This attack utilizes multiple compromised computers and devices, forming a botnet to send requests simultaneously.
• DDoS is like a traffic jam on a highway, preventing regular traffic from reaching its destination.

DDoS Attack Mechanics

• A botnet consists of compromised devices controlled remotely by an attacker.
• Each infected device (bot) is instructed to send simultaneous requests to the target's IP address, leading to server overload and denial of service.
• Attack traffic originating from legitimate devices makes identification difficult.

DDoS attack Identification

• The most noticeable sign is a website or service abruptly becoming slow or unavailable.
• Traffic analytics tools can help identify suspicious traffic patterns:
  • Large amounts of traffic from a single IP or range.
  • Traffic from users sharing identical behavioral profiles (device type, location, browser).
  • Sudden increase in requests to a specific page or endpoint.
  • Unusual traffic spikes at unexpected hours.
• Other specific indicators may vary depending on the attack type.

Understanding DDoS and DoS

• DDoS is a subcategory of Denial-of-Service (DoS) attacks.
• In DoS attacks, a single internet connection is used to barrage a target with bogus requests or exploit vulnerabilities.
• DDoS differs by employing thousands or even millions of devices, making it larger in scale and significantly harder to combat.

DDoS Prevention Techniques

• A proactive defense involves combining attack surface reduction, threat monitoring, and scalable mitigation tools.
• Attack surface reduction:
  • Limit traffic to specific locations.
  • Implement load balancers.
  • Block communication from outdated or unused ports, protocols, and applications.
• Anycast network diffusion:
  • Disperses traffic across multiple servers, increasing surface area and absorbing traffic spikes.
• Real-time, Adaptive Threat Monitoring:
  • Log monitoring analyzes traffic patterns, identifies spikes, and adapts to defend against malicious requests.
• Caching:
  • Content delivery networks (CDNs) cache content, reducing server load and protecting against both legitimate and malicious requests.
• Rate Limiting:
  • Restricts traffic volume over a specific timeframe, preventing servers from being overwhelmed by requests from specific IP addresses.
• DDoS Prevention Tools:
  • Web Application Firewalls (WAFs): Filter, inspect, and block malicious HTTP traffic between web applications and the internet.

Key Terms

• Botnet: A group of compromised devices
• Bot: A single compromised device
• CDN: Content Delivery Network
• WAF: Web Application Firewall
• Anycast: Network technology that allows a single IP address to represent multiple servers.
• Rate Limiting: Controls the number of requests allowed from specific IP addresses per time period.